U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

OFFICE OF THE SECRETARY
Improvements Needed in Controls Over Approvals for and Testing of CAMS Software
Final Audit Report No. FSD-12940/September 2000

Office of Audits, Financial Statements Audits Division

September 20, 2000

MEMORANDUM FOR:   Linda J. Bilmes
                  Chief Financial Officer and
                   Assistant Secretary for Administration
                  Office of the Secretary

FROM:             Johnnie E. Frazier

SUBJECT:          Improvements Needed in Controls Over Approvals for and
                  Testing of CAMS Software
                  Final Audit Report No. FSD-12940

This is our final audit report on the adequacy of controls over approvals for and testing of the Commerce Administrative Management System (CAMS) software. Our audit found that although the CAMS Support Center has taken action during the last two years to strengthen controls over CAMS software, some CAMS Support Center management positions with conflicting responsibilities are held by the same personnel, and most decisions to change CAMS have not been adequately documented. We also found that system testing of most modules is not performed, and that system documentation does not reflect the current state of the software. We recommend that corrective actions be taken to ensure that (1) all conflicting duties are segregated, (2) decisions that support changes to CAMS are documented, and (3) policies and procedures regarding system testing and system documentation are followed. (See Findings and Recommendations, sections I and II.)

Your office’s response to the draft report expressed general agreement with the findings and recommendations, and noted corrective actions already taken. We have, where appropriate, incorporated your suggested changes and comments into this final report. Your complete response is included as an attachment to the report.

Please provide your audit action plan addressing the recommendations for our concurrence within 60 days of the date of this memorandum, in accordance with Department Administrative Order (DAO) 213-5. The plan should be in the format of Exhibit 7 of the DAO. Should you have any questions regarding preparation of the audit action plan, please contact me at (202) 482-4661 or Thomas McCaughey, Director, Financial Statements Audits Division, at (202) 482-6044.

We appreciate the cooperation and courtesies extended to us by your staff during the review.

U.S. Department of Commerce                                Final Report FSD-12940
Office of Inspector General                                        September 2000

INTRODUCTION

This final report presents the results of our audit of the CAMS Support Center’s controls over application software development and change control. These controls help prevent the implementation of unauthorized programs and unauthorized modifications to existing programs. In conducting this financial systems audit, we used the General Accounting Office’s (GAO) Federal Information System Controls Audit Manual (FISCAM) as a guide in our assessment. On February 22, 2000, we issued audit report No. FSD-11846-0-0001, Improvements Needed in the General Controls at the Commerce Administrative Management System Support Center, which addresses the other five FISCAM areas[1] and is a restricted, limited-distribution report.

[1] Entitywide security program planning and management, access control, system software, segregation of duties, and service continuity.

Since fiscal year 1989, the Department’s lack of a single, integrated financial system has been reported as a material internal control weakness in the Secretary’s annual reports to the President under the Federal Managers’ Financial Integrity Act. To correct this weakness, the Department began the development and acquisition of CAMS, which consists of a core financial system containing six integrated modules[2] and is to be integrated with Department-wide functional systems. Currently, CAMS is functional at the Census Bureau, and EDA is using the Accounts Receivable and Accounts Payable modules. NOAA has implemented the Travel Manager module in CAMS, the Small Purchases module, and a majority of the Accounts Payable module, and has begun implementing the Purchase Card module. For fiscal year 2001, the Department plans to have the Office of the Secretary operational, followed by other clients that are cross-serviced by NIST. By fiscal year 2002, NOAA’s CAMS pilot at the National Oceans Survey is to be in production, and NIST will begin phased implementation. The Department projects that CAMS will be fully implemented by fiscal year 2004.

[2] General Ledger, Accounts Payable, Accounts Receivable, Cost Accumulation, Budget/Funds Management, and Financial Reporting.

Oversight of the CAMS program is the responsibility of the CAMS Executive Board, which sets policy, provides budget and resources for implementation, gives guidance when conflicts of priorities occur, and reports to the Department’s Chief Financial Officer (CFO) through the Deputy CFO. The Deputy CFO has operational control over the CAMS Support Center, located in Gaithersburg, Maryland. The Support Center, through the use of contractors, is responsible for making changes to CAMS as part of its software development and implementation activities. These changes are first assessed by the Technical Advisory Council[3] (TAC), which provides a recommendation to the Software Change Control Board[4] (SCCB) for a decision. Items that significantly affect resource utilization or prioritization are elevated to the CAMS Executive Board for resolution. As of May 1, 2000, the Support Center had 30 government employees and 58 contractor employees.

[3] The TAC is chaired by the Support Center’s functional architect and is composed of bureau functional and information technology system experts. The TAC is to assess proposed changes’ software functionality, technical feasibility, and impacts on performance, and to recommend approaches to the Software Change Control Board.

[4] The SCCB is chaired by the Support Center’s Program Manager and is composed of the bureaus’ financial officers and CAMS implementation managers. The SCCB votes on the changes to CAMS functionality and requirements that are proposed by the TAC.

The Support Center has three divisions:

• The Technical Support Division performs application software design, programming, and maintenance; manages the CAMS software change release and system architecture; tests software; and provides support for the Support Center’s internal infrastructure.

• The System Support Division handles the functional aspects of CAMS, provides customer support to the bureaus, and maintains system documentation and CAMS training materials. This division is also responsible for inspecting the software for quality assurance and control.

• The Program Support Division provides support for general and contract administration,[5] and program management for performance measurement and independent verification and validation of CAMS and the Support Center.

[5] NOAA also provides support to the CAMS Support Center for contract administration.

Over the past two years, the Support Center has taken steps to improve its operations. For example, the Support Center has started the process of implementing the Capability Maturity Model for Software[6] and of attaining the model’s Level 2 maturity level, at which development processes are considered “repeatable.” This level permits management to institutionalize successful processes developed on earlier projects. In addition, the Support Center involves Commerce bureaus in defining CAMS change requirements, is establishing a formal quality assurance process over its software development, and uses lessons-learned practices for assessing its recently revised software release cycle.

[6] The model, developed by the Software Engineering Institute of Carnegie Mellon University, is used to judge the maturity of an organization’s software processes and to identify the key practices that are required to increase the maturity of these processes.

The audit was conducted in accordance with Government Auditing Standards issued by the Comptroller General of the United States, and was performed under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated May 22, 1980, as amended.

OBJECTIVES, SCOPE, AND METHODOLOGY

The audit’s objective was to determine whether the CAMS Support Center had established adequate controls over the approvals for and modification of CAMS software. The scope of the audit was to assess the existence of (1) proper authorizations for processing features and program modifications, (2) adequate tests and approvals for new and revised software, and (3) proper controls over software libraries. We address our concerns for the first and second objectives in the following sections. We did not identify any deficiencies for the third objective during our review. We did not perform tests[7] of the Support Center’s workload of change requests[8] to CAMS software because the Support Center had only formalized and issued its new software development and maintenance procedures on May 8, 2000. Of the 633 change requests logged for fiscal year 2000 (as of May 17, 2000), only 35 (6 percent) had been made under these new procedures; thus, the historical data was too limited for us to draw a valid conclusion.

[7] Such tests usually include evaluating whether the requests were documented in accordance with policies and procedures, prioritized based on criticality, reviewed by management, authorized/approved for programming, and adequately tested.

[8] A change request (activity request) provides the Support Center with an overview of the software problem and serves as a starting point for further functional and technical analysis.

We performed our review from April through June 2000 by interviewing Support Center management and staff; reviewing policies and procedures, change request workload, and quality assurance processes; identifying and assessing control techniques consistent with current industry standards and compliance with government guidelines and regulations; gaining an understanding of the general controls structure surrounding the Support Center’s software development and maintenance environment; and assessing risks surrounding the areas of key management and software development and change control. During the review and at its conclusion, we discussed our findings with the Support Center’s program manager and division directors.

FINDINGS AND RECOMMENDATIONS

I. Additional Improvements Are Necessary for the Controls over Approvals of Software Features and Modifications

The Support Center formalized and issued new software development and maintenance procedures on May 8, 2000. Our review found that, although the Support Center has taken actions to improve its operations, additional improvements are needed in the controls over approvals of CAMS software features and modifications. Specifically, we found that some CAMS Support Center management positions with conflicting responsibilities are held by the same personnel, and that decisions to change CAMS have not been adequately documented.

A. Some CAMS Support Center management positions with conflicting responsibilities are held by the same personnel

While assessing the key management controls in place at the Support Center, we found that some management positions with conflicting responsibilities are held by the same personnel. For instance, a lack of segregation of duties exists because the director positions for the Technical Support Division (TSD) and the System Support Division (SSD) are currently held by the same person. According to documentation provided by the Support Center, one of TSD’s main responsibilities is to maintain and develop the program code that implements approved CAMS changes and enhancements, while SSD is responsible for improving software quality by enforcing compliance with development standards. With the same individual responsible for overseeing and administering both of these areas, the function that writes the code and the function that checks it against the standards answer to one person, and excessive emphasis placed on one area could result in deficiencies remaining unaddressed in the other.

GAO’s Standards for Internal Control in the Federal Government, issued in November 1999, state that program managers should implement appropriate and effective internal controls to better achieve program results and to help in managing change from shifting environments and evolving demands and priorities. Internal control activities, such as approvals and authorizations, aid in the segregation of duties and should be used to ensure that management directives are carried out.

Although the Support Center maintained that the lack of segregation of duties has resulted from a shortage of personnel,[9] we believe that sound business practices, policies, and procedures for segregation of duties should be implemented as mitigating controls. When one person holds responsibility for conflicting duties, the effectiveness of planning and management declines and risk increases.

[9] As of May 2, 2000, there were nine vacancies at the Support Center (one director, four team leaders, three computer specialists, and one team member). Support Center management had shifted responsibilities from some of these vacant positions to existing staff.

B. Decisions to change CAMS have not been adequately documented

Decisions made by the CAMS Software Change Control Board were not documented. Documentation for decisions that support approved changes to CAMS should include (1) input received from the bureaus, (2) the potential impact of each change on the Support Center’s activities and workload, and (3) any recommendations to the CAMS Executive Board. The Support Center could not provide us with documentation concerning decisions made by the SCCB on proposed CAMS software changes. Nor could the Support Center provide us with documentation of its briefings to the CAMS Executive Board regarding proposed changes to CAMS and the resulting Executive Board decisions. The Support Center maintained only the CAMS Executive Board’s agendas of topics for discussion.

As previously mentioned, the SCCB is chaired by the Support Center’s Program Manager and is composed of the bureaus’ financial officers and CAMS implementation managers. The SCCB’s responsibility is to vote on the changes to CAMS software functionality and requirements that are proposed by the TAC. In addition, the SCCB is to set priorities for software modifications to be performed by the Support Center.

GAO’s Standards for Internal Control in the Federal Government state that internal control activities help to ensure that management directives are carried out. Maintaining appropriate documentation of approvals or disapprovals of proposed changes is one of these activities. Internal controls such as approvals need to be clearly documented, and the documentation should be readily available for examination.

We found that when the TAC decided on proposed changes to CAMS, it notified the SCCB; however, the SCCB’s decisions were not documented. To illustrate, on September 23, 1999, the Census Bureau and the Support Center agreed through two memorandums of understanding (MOUs) to have the Support Center provide software development services to Census. The Support Center was to complete the design and programming of an archiving module for CAMS and to deliver the module’s software to Census upon completion. Census noted that this module would provide the means for removing transactions from online processing, retiring transactions, and providing access to archived transactions as needed. The MOUs’ performance periods ran from September 1999 through September 2000, and through the MOUs Census provided over $340,000 to the Support Center for the work to be done. However, no documentation of the SCCB’s decision on these MOUs, either approval or disapproval, was maintained.

Even though the Support Center has experienced software development personnel who have historical knowledge of the system and its requirements, GAO’s standards requiring the maintenance of adequate approval documentation for changes to CAMS have not been adequately followed. Failing to document approvals limits management’s ability to support and justify its decisions, and leaves no record against which the changes actually made to the software can later be checked for authorization.

C. Recommendations

We recommend that the Director for Financial Management and Deputy CFO require the CAMS Support Center Program Manager to:

1. Segregate duties having conflicting internal control responsibilities.

2. Implement and enforce GAO’s standards to document all decisions that support approved changes to CAMS. Such documentation should include (a) input received from the bureaus, (b) the potential impact of each approved change on the Support Center’s activities and workload, (c) the CAMS Software Change Control Board decisions, and (d) the Support Center’s briefings to the CAMS Executive Board regarding proposed changes to CAMS and the resulting Executive Board decisions.

Director for Financial Management and Deputy CFO’s Response and OIG Comments

In his written response to the draft report, the Director and Deputy CFO agreed with our findings and recommendations and stated that corrective actions have been initiated. On July 20, 2000, the Support Center hired a new Director for TSD. Further, the Support Center will have each proposed software change go through functional and technical assessments and obtain approvals from both TSD and SSD. Also, the Support Center reported that between June 20 and August 7, 2000, it provided training for all its government staff on how to conduct and document effective meetings, and that documentation will be enforced as a policy for all decision bodies associated with CAMS. These actions are consistent with the intent of the recommendations.

II. Improvements Are Still Needed in Controls over Testing of New and Revised Software

The Support Center does not perform system (regression) testing of most CAMS modules. System testing verifies that changes or additions to CAMS software have not caused unintended effects elsewhere in CAMS and also examines the operation of CAMS as an overall entity or system. In addition, system documentation was not updated to reflect the current state of the CAMS software code.

A. System Testing Is Not Performed for Most CAMS Modules

After reviewing the Support Center’s processes, practices, and documentation and interviewing key management officials, we found that system testing was performed only for the Accounts Payable module, which is exercised by over 800 automated test scripts. Though test scripts are available for the other CAMS modules, the Support Center had not loaded them into the automated testing software. The Support Center stated that the reason for not fully testing most modules is a shortage of personnel.

GAO’s FISCAM establishes control guidance for application software development and change control. The manual states that software should undergo a disciplined process of testing and approval prior to implementation in order to ensure that it operates as intended. Such testing should include unit, integration, and system testing.

We believe that sound business practices, policies, and procedures for determining the appropriate level of software testing have not been adequately followed. Without complete system testing, the Support Center has less assurance that the software will operate as intended and that a change to one module has not broken another.

B. System Documentation Does Not Reflect the Current State of the CAMS Software

CAMS system documentation has not been updated to reflect the current state of the software. On November 22, 1999, an independent software-process appraiser contracted to assess the Support Center’s software maturity level reported that the documentation was “woefully” out of date. Internal policies and procedures promulgated by the Support Center for updating existing system documentation have not been adequately followed. The system documentation needs to be updated to reflect the current software version. As GAO has stated,[10] controls over the design, development, and modification of application software help prevent security features from being inadvertently or deliberately turned off and process irregularities or malicious code from being introduced; documentation that no longer matches the code undermines those controls, because reviewers cannot tell what the software is supposed to do. During our audit, the Support Center, through one of its contractors, provided an individual to maintain the documentation.

[10] Financial Management Service - Significant Weaknesses in Computer Controls, GAO/AIMD-00-4, October 9, 1999.

FISCAM provides control guidance over changes in programming and the development of related changes to system documentation, including hardware documentation, operating procedures, and user procedures. Current system documentation facilitates the coding and testing of future modifications.

The lack of adequate documentation increases the risk that CAMS software may not meet operational needs. Also, outdated system documentation could result in significant delays and costs when future modifications are made to the software. Given the Department’s lengthy history of implementing CAMS, coupled with CAMS Support Center staff turnover, we believe that system documentation is important to ensure continued operations.

C. Recommendations

We recommend that the Director for Financial Management and Deputy CFO require the CAMS Support Center Program Manager to:

1. Enforce policies and procedures for performing system (regression) testing of all CAMS modules and ensure that the results are documented.

2. Adhere to policies and procedures that require system documentation to be updated as changes are made, so that it accurately reflects the current version of the software.

Director for Financial Management and Deputy CFO’s Response and OIG Comments

The Director and Deputy CFO agreed with our findings and recommendations and stated that corrective actions have been initiated. On May 23, 2000, the Support Center awarded a task to its contractor to provide additional testing staff as part of the Support Center’s technology migration/refreshment effort. The Support Center projects that when this effort is completed in May 2001, test scripts will have been loaded into the automated testing software for all CAMS modules, and changes thereafter to the CAMS software will be subjected to full system testing. In addition, the Support Center will have the new Director for TSD assess the state of and need for internal system documentation of CAMS and will develop a plan by September 30, 2000. In fiscal year 2001, the Support Center will begin efforts to rectify the lack of user documentation. These actions are consistent with the intent of the recommendations.

Attachment

cc: James L. Taylor, Director for Financial Management and Deputy Chief Financial Officer
    Robert R. Bair, CAMS Support Center Program Manager
    Roger W. Baker, Chief Information Officer